Oracle patched two VirtualBox vulnerabilities in its SVGA graphics stack that could let a privileged attacker inside a Windows guest trigger out-of-bounds reads on the host. CVE-2020-2748 affects VirtualBox 6.1.0 r135406 in the VMSVGA/VBoxSVGA video adapter path, where guest-controlled cursor update data can supply an unchecked screen identifier that is later used in Display::i_displayVBVAReportCursorPosition, causing an out-of-bounds access to maFramebuffers[aScreenId]. STAR Labs said the flaw was disclosed through ZDI and Oracle addressed it in its April 2020 security advisory.
A separate bug, CVE-2019-3026, affects VirtualBox 6.0.4 r128413 and stems from improper validation of SVGA 3D commands in vmsvgaFIFOLoop. STAR Labs reported that a size-check macro failed to exit the intended switch block, allowing malformed command headers to bypass validation and trigger an integer underflow followed by an out-of-bounds read in vmsvga3dShaderSetConst(). Exploitation requires the attacker to already have high privileges in the guest, and for the VM to have 3D acceleration enabled; Oracle fixed the issue in its October 2019 Critical Patch Update.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
STAR Labs publicly disclosed technical details for CVE-2020-2748, describing how a privileged guest could manipulate SVGA FIFO cursor update fields to cause an out-of-bounds read in VirtualBox. The disclosure coincided with the vendor patch being available.
Oracle acknowledged CVE-2020-2748 and released a patch in its April 2020 security advisory. The issue affected the VMSVGA/VBoxSVGA video adapter path used by Windows guests and could trigger out-of-bounds access from a privileged guest.
A VirtualBox SVGA out-of-bounds read vulnerability, later tracked as CVE-2020-2748, was disclosed to Oracle through ZDI. The flaw affected VirtualBox 6.1.0 r135406 and stemmed from improper bounds checking of a guest-controlled screen identifier in cursor update handling.
Oracle patched CVE-2019-3026 and published an advisory as part of its October 2019 Critical Patch Update. The vulnerability required high-privileged code execution in the guest and 3D acceleration to be enabled.
STAR Labs reported an Oracle VirtualBox VBoxSVGA validation flaw, later assigned CVE-2019-3026, to Oracle. The bug affected VirtualBox 6.0.4 r128413 on Windows guests and could lead to an integer underflow and out-of-bounds read when processing malformed SVGA 3D commands.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.